CVE-2025-36460: CWE-805 - Buffer Access with Incorrect Length Value in Broadcom BCM5820X
Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. The vulnerability is triggered by submitting a `WinBioControlUnit` call to the Storage Adapter with ControlCode 2 (`WBIO_USH_GET_IDENTITY`) and an improper `ReceiveBufferSize` value (the advisory text spells the parameter `ReceiveBuferSize`; `ReceiveBufferSize` is the WinBioControlUnit parameter it refers to).
AI Analysis
Technical Summary
CVE-2025-36460 is classified under CWE-805 (Buffer Access with Incorrect Length Value). The Talos record names the product as Broadcom BCM5820X, the chip behind Dell ControlVault3 and ControlVault3 Plus, but the affected code is the host-side ControlVault WBDI Driver Storage Adapter, the Windows Biometric Framework plugin that services biometric storage requests for that device, rather than firmware on the chip itself. The advisory reports several out-of-bounds read and write conditions in that adapter. A local attacker triggers them by issuing a crafted WinBioControlUnit call to the Storage Adapter with ControlCode 2 (WBIO_USH_GET_IDENTITY) and an improper ReceiveBufferSize; because the adapter uses the caller-supplied length instead of the real size of the data it handles, it reads or writes beyond the bounds of the buffers involved. WinBioControlUnit is a public Windows Biometric Framework API, so the attacker only needs to run code locally and open a biometric session; the adapter code then executes on the attacker's behalf inside the Windows Biometric Service, which is why memory corruption here can lead to code execution at a higher privilege level, tampering with biometric data, or a denial of service of the authentication path. The CVSS 3.1 vector requires local access, low attack complexity, low privileges and user interaction (AV:L/AC:L/PR:L/UI:R); a base score of 7.3 with those metrics corresponds to an unchanged scope and high confidentiality, integrity and availability impact. No exploitation in the wild had been reported at the time of writing. The affected-version ranges in the description identify the fixed releases: ControlVault3 5.15.14.19 and ControlVault3 Plus 6.2.36.47.
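The following C program is an added illustration of the CWE-805 pattern the advisory describes, written for this page; it is not Dell's or Broadcom's code and does not reproduce the real adapter. It models a WBDI-style storage-adapter ControlUnit handler that trusts the caller's ReceiveBufferSize as the copy length, beside a hardened version that derives the length from the data and treats the caller's size only as a capacity bound. The HRESULT stand-ins, the USH_IDENTITY layout and the sample identity record are assumptions; only the control-code value 2 comes from the advisory.

```c
/*
 * Hypothetical WBDI-style storage-adapter ControlUnit handler showing the
 * CWE-805 pattern described in the advisory, beside a hardened version.
 * Not Dell's or Broadcom's code; type names and the identity layout are
 * assumptions, only the control-code value (2) comes from the advisory.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows types/values an adapter gets from winbio_adapter.h */
typedef int32_t HRESULT;
#define S_OK                    ((HRESULT)0)
#define E_INVALIDARG            ((HRESULT)0x80070057L)
#define E_NOT_SUFFICIENT_BUFFER ((HRESULT)0x8007007AL)

#define WBIO_USH_GET_IDENTITY   2u   /* control code named in the advisory */

/* Assumed fixed-size record returned for WBIO_USH_GET_IDENTITY */
typedef struct {
    uint32_t version;
    uint32_t flags;
    uint8_t  serial[16];
} USH_IDENTITY;

/* Constructed sample identity; a real adapter would fetch it from the device */
static const USH_IDENTITY g_identity = { 1u, 0u, { 0xDE, 0xAD, 0xBE, 0xEF } };

/*
 * Vulnerable pattern: the copy length is the caller-supplied ReceiveBufferSize
 * rather than the size of the data. ReceiveBufferSize > sizeof(USH_IDENTITY)
 * reads past g_identity; a ReceiveBuffer smaller than that value is written
 * past its end. Both are the out-of-bounds read/write the advisory reports.
 */
HRESULT control_unit_vulnerable(uint32_t control_code,
                                uint8_t *recv_buf, size_t recv_buf_size,
                                size_t *recv_data_size)
{
    if (control_code != WBIO_USH_GET_IDENTITY)
        return E_INVALIDARG;
    memcpy(recv_buf, &g_identity, recv_buf_size);   /* CWE-805: length from caller */
    *recv_data_size = recv_buf_size;
    return S_OK;
}

/*
 * Hardened: the length is derived from the data, the caller's buffer size is
 * only a capacity bound, and a short buffer is reported (with the required
 * size in *recv_data_size so the caller can retry) instead of being overrun.
 */
HRESULT control_unit_hardened(uint32_t control_code,
                              uint8_t *recv_buf, size_t recv_buf_size,
                              size_t *recv_data_size)
{
    if (recv_data_size == NULL)
        return E_INVALIDARG;
    *recv_data_size = 0;
    if (control_code != WBIO_USH_GET_IDENTITY)
        return E_INVALIDARG;
    *recv_data_size = sizeof(USH_IDENTITY);          /* required size, for retry */
    if (recv_buf == NULL || recv_buf_size < sizeof(USH_IDENTITY))
        return E_NOT_SUFFICIENT_BUFFER;
    memcpy(recv_buf, &g_identity, sizeof(USH_IDENTITY));
    return S_OK;
}

/* Stand-alone demonstration on a correctly and an incorrectly sized receive
 * buffer. The vulnerable handler is only called with the exact size, because
 * a wrong size would corrupt this process in the same way. */
int main(void)
{
    uint8_t buf[64];
    size_t n = 0;

    HRESULT hr = control_unit_hardened(WBIO_USH_GET_IDENTITY, buf, 4, &n);
    printf("hardened, 4-byte buffer:  hr=0x%08x required=%zu\n", (unsigned)hr, n);

    hr = control_unit_hardened(WBIO_USH_GET_IDENTITY, buf, sizeof buf, &n);
    printf("hardened, 64-byte buffer: hr=0x%08x returned=%zu\n", (unsigned)hr, n);

    hr = control_unit_vulnerable(WBIO_USH_GET_IDENTITY, buf, sizeof(USH_IDENTITY), &n);
    printf("vulnerable, exact size:   hr=0x%08x returned=%zu\n", (unsigned)hr, n);
    return 0;
}
```

The point of the hardened handler is that the only length that ever reaches memcpy is one the adapter computed itself; ReceiveBufferSize is compared against it and never used as a count. That is the check a reviewer would look for in any ControlUnit path that fills a caller-supplied buffer.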
Potential Impact
For European organizations the exposure is concentrated in fleets of Dell laptops that use the ControlVault3 / ControlVault3 Plus (Broadcom BCM5820X) hardware for fingerprint or smart-card based sign-in. Because the vulnerable adapter runs in the Windows Biometric Service, a local attacker who can trigger the bug can gain code execution at the service's privilege level, read or alter the biometric templates and credentials the storage adapter manages, or crash the service and block biometric sign-in. That undermines the identity-verification layer in sectors such as finance, healthcare, government and critical infrastructure. The local-access and user-interaction requirements rule out direct remote exploitation, but not a malicious insider, a phishing foothold that is later elevated, or malware already present on the endpoint. Given the high confidentiality, integrity and availability impact, a successful exploit can translate into a reportable personal-data breach under GDPR as well as operational downtime.
Mitigation Recommendations
Update the Dell ControlVault3 driver and firmware package to 5.15.14.19 or later, and ControlVault3 Plus to 6.2.36.47 or later; the affected-version ranges in the description mark these as the fixed releases, so verify the installed ControlVault package version against them rather than waiting for a separately linked patch. WinBioControlUnit is a public Windows Biometric Framework API and cannot be restricted on its own, so the interim controls are those that limit what code can run locally: application allow-listing, least-privilege user accounts, and no local administrator rights for everyday users. Where ControlVault biometrics are not in use, disable the device or the Windows Biometric Service (WbioSrvc) on those machines to remove the attack surface entirely. Use EDR telemetry to flag unexpected processes opening biometric sessions and crashes of the Windows Biometric Service, which can indicate failed exploitation attempts. Keep user awareness training against social engineering that could give an attacker the required local foothold, and audit systems regularly for unauthorized changes or suspicious activity involving ControlVault components.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-04-15T21:17:08.088Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ba72ebb922d226277cd87
Added to database: 11/17/2025, 10:52:30 PM
Last enriched: 11/24/2025, 11:11:33 PM
Last updated: 1/7/2026, 5:22:50 AM